In this tutorial, we illustrate through examples how we can combine two classical models, namely
those of pushdown automata (PDA) and timed automata, in order to obtain timed pushdown automata
(TPDA). Furthermore, we describe how the reachability problem for TPDAs can be reduced to
the reachability problem for PDAs.

1 Introduction 

In this tutorial, we describe a timed extension of the widely used model of Pushdown Automata (PDA).
A PDA computes by moving between states according to some given transition rules. Additionally,
a PDA may utilize a stack to store information. This information is encoded in stack symbols, and the
PDA may add a symbol (push) to or remove a symbol (pop) from the stack. The defining feature of a
stack is that it has an ordering on its elements, traditionally from top to bottom; the PDA can only
access the topmost element.

An interesting question is what happens to this model when we extend it with quantitative properties.
Will basic problems, such as state reachability, still be decidable? In particular, we are interested in
extending the model with continuous time in a manner similar to how Timed Automata [5] extend Finite
Automata. Thus, we consider Timed Pushdown Automata (TPDA). A TPDA is a PDA that is augmented
with a finite number of clocks. It operates in the following manner:

• at any point in the computation, time may elapse by some real number, increasing the values of all 
clocks 

• the values of clocks constrain the actions of the automaton 

In addition to the set of clocks, we also store the age of each stack symbol. We can view this as an
additional clock. Accordingly, the ages of stack symbols increase whenever time elapses. Furthermore,
possible actions of the automaton may be restricted by the age of the topmost stack symbol.

The TPDA model thus subsumes both the model of pushdown automata and timed automata. More
precisely, we obtain the former if we prevent the TPDA from using the timed information (all the timing
constraints are trivially valid); and obtain the latter if we prevent the TPDA from using the stack (no
symbols are pushed to or popped from the stack). Notice that a TPDA induces a system that is infinite
in two dimensions, namely it gives rise to a stack containing an unbounded number of symbols each of
which is equipped with a real-valued clock.

Figure 1: A simple PDA

Outline. In the next section, we present an overview of Pushdown Automata. In Section 3, we describe
the timed extension of PDA and show some examples of computations. In Section 4, we recall and
extend the notion of regions, and show how we can use them to define a symbolic encoding of TPDA
configurations. Finally, in Section 5, we describe how to construct a PDA which simulates a given TPDA.
The section ends with a detailed example of how the aforementioned TPDA computation is simulated.



2 PDA 

In this section, we informally describe the model of Pushdown Automata. A Pushdown Automaton
(PDA) is a tuple (S, s_init, Γ, Δ) consisting of a finite set of states S, an initial state s_init, a finite stack
alphabet Γ, and a finite set of transition rules Δ. During the operation of a PDA, it may store information
in a stack. It may add information, which is referred to as pushing, or it may remove information, which
is called popping. The stack is a last-in, first-out queue, and access is restricted to the first element. The
stack alphabet contains all possible symbols that may be stored in the stack, and the set of transition rules
describes the manner in which the automaton is allowed to move between states. Each transition rule is of
the form (s, op, t). The rule contains a source state s, a target state t and a stack operation op. The stack
operation is either push(a), pop(a) or nop (here, a is an arbitrary symbol from the stack alphabet). A
transition rule describes that the automaton may move from s to t while performing the stack operation
op. The operation push(a) pushes a onto the stack, and pop(a) pops it. The operation nop is an "empty"
operation which can be used to change state without modifying the stack. Figure 1 shows a PDA with
the state set {s1, s2, s3, s4, s5, s6} and stack alphabet {a, b}. The initial state of the automaton is s1. The
transition rules are drawn as arrows between states, labeled with the stack operation (missing labels mean
nop).

At any point during a computation, the PDA is in a certain configuration, defined by the current
state and the current stack content. Figure 2 shows the configurations that appear along a computation in
which the automaton starts from its initial configuration (the state is s1 and the stack is empty), moves to
s2 while pushing a, then moves to s3 while pushing b, and finally pops b and moves to s4.

Figure 2: Computation of a PDA


Reachability. Given a pushdown automaton, the reachability problem is the problem of deciding whether
the automaton can reach a particular state s. In other words, we ask whether there is a computation of
the automaton (starting from the initial configuration) that visits a configuration where the state is s,
regardless of the content of the stack. It turns out that for the automaton in Figure 1 the state s4 is
reachable but the state s6 is not. This is because in order to move from to s6, the automaton has to pop a.
However, the topmost symbol when the automaton is in state will always be b. For PDA, reachability
is decidable in polynomial time [6].

3 Timed Pushdown Automata 

The classical model of Timed Automata extends finite state automata with a finite set of real-valued
clocks. We extend PDA in a similar way, in the sense that a Timed Pushdown Automaton (TPDA) consists
of a finite set of states S, an initial state s_init, a finite stack alphabet Γ, a finite set of transition rules Δ, and
a finite set of clocks X. The transition rules are also extended in the sense that they can read and write the
values of clocks. More specifically, a transition rule (s, op, t) refers not only to stack operations. Instead,
op can also be one of the clock operations x ∈ I? and x ← I. The operation x ∈ I? checks whether the
value of the clock x is in the interval I. For example, the transition rule (s, x ∈ [1 : 3]?, t) can only be
performed when the value of x is between 1 and 3. The operation x ← I nondeterministically resets the
value of the clock x to some value in the interval I. Additionally, each stack symbol is equipped with a
value representing its age. We modify the stack operations to use these values: push(a, I) pushes a and
nondeterministically sets its initial age to some value in the interval I, while pop(a, I) may only pop the
topmost stack symbol if it is equal to a and its age is in the given interval I.

As with PDA, the semantics of TPDA are given by a transition system over configurations. The
configurations of a TPDA need to contain additional information, namely the values of all clocks and the
ages of all stack symbols. The values of all clocks are given by a clock valuation: a mapping X → ℝ≥0
(where ℝ≥0 stands for the non-negative real numbers). To capture the ages of stack symbols, we store
tuples in the stack. Each tuple consists of (i) a stack symbol from the stack alphabet Γ and (ii) its
corresponding age. Figure 4 and Figure 5 show an example computation of a TPDA (note that this
computation is not related to the automaton in Figure 3). For example, in the configuration c0 in Figure
4 the automaton is in the state with an empty stack, and the values of the two clocks x and y are 0. In
the configuration c3 in the same figure, the stack consists of a symbol a which has age 2.4.

There are two different types of transitions between configurations of a TPDA: discrete and timed.
Discrete transitions are direct applications of the transition rules in Δ. Timed transitions simulate the
passage of time. At any point in the computation, the automaton may take a timed transition, which
means that all clock values and ages of stack symbols are increased by a positive real number. Figures 4
and 5 show a computation of a TPDA with clocks X = {x, y} and stack alphabet Γ = {a, b, c, d}. We will
describe the effect of each type of transition with an example from these figures.

Figure 3: A simple TPDA

Between c2 and c3, the TPDA moves from s2 to s3 and pushes the symbol a onto an empty stack,
setting its initial age to 2.4, a value which is in the allowed interval [1 : 3). Recall that the initial age
is nondeterministically chosen from the given interval; in the push between c6 and c7 the same interval
is given, but the chosen value happens to be 2.9 instead. The operation x ← I chooses and assigns a
value nondeterministically. From c7, the automaton resets the value of x. Its value, which was previously
6.1, is set to some value in the interval [2 : 3], in this case 2.1. Assume that Δ contains a transition
rule (s1, y ∈ (1 : ∞)?, s5). In c21, the TPDA tests if the value of y is strictly greater than 1. It is, so the
transition rule is applied, and the state changes to s5, as shown in configuration c22. The above transitions
are all examples of discrete transitions, i.e. transitions that are induced by transition rules in Δ. Figure 4
and Figure 5 also contain a number of timed transitions. For example, the transition between c8 and c9
represents the passage of 0.9 time units. In c9, the values of x and y and the ages of a and b have all been
increased by 0.9.
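The two kinds of transition described above, as an added example that is not code from the tutorial: a small Python interpreter for TPDA configurations (state, clock valuation, stack of symbol/age pairs). The rule tuples, the helper names and the run are constructed for illustration; only the values 2.4, 6.1, 2.1 and 0.9 and the intervals [1 : 3) and [2 : 3] are taken from the text.

```python
from fractions import Fraction as Fr

def interval(lo, hi, lo_open=False, hi_open=False):
    """Membership test for an interval such as [1 : 3) or [2 : 3]."""
    def contains(v):
        above = v > lo if lo_open else v >= lo
        below = v < hi if hi_open else v <= hi
        return above and below
    return contains

def delay(cfg, d):
    """Timed transition: all clock values and all stack ages grow by d > 0."""
    state, clocks, stack = cfg
    if d <= 0:
        raise ValueError("a timed transition needs a positive delay")
    return (state, {x: v + d for x, v in clocks.items()},
            [(a, age + d) for a, age in stack])

def step(cfg, rule, choice=None):
    """Discrete transition for a rule (s, op, t); None if the rule is not enabled.
    `choice` is the nondeterministically chosen value for push and reset."""
    state, clocks, stack = cfg
    s, op, t = rule
    if state != s:
        return None
    clocks, stack = dict(clocks), list(stack)   # never mutate the old configuration
    kind, args = op[0], op[1:]
    if kind == "push":                          # push(a, I)
        a, in_i = args
        if choice is None or not in_i(choice):
            return None
        stack.append((a, choice))
    elif kind == "pop":                         # pop(a, I): symbol and age must match
        a, in_i = args
        if not stack or stack[-1][0] != a or not in_i(stack[-1][1]):
            return None
        stack.pop()
    elif kind == "test":                        # x ∈ I?
        x, in_i = args
        if not in_i(clocks[x]):
            return None
    elif kind == "reset":                       # x ← I
        x, in_i = args
        if choice is None or not in_i(choice):
            return None
        clocks[x] = choice
    elif kind != "nop":
        raise ValueError(f"unknown operation {kind!r}")
    return (t, clocks, stack)

def run():
    """Constructed run. Only the push age 2.4 in [1 : 3), the reset of x from 6.1 to
    2.1 in [2 : 3] and the 0.9 delay come from the text; the rules are hypothetical."""
    push_a = ("s2", ("push", "a", interval(1, 3, hi_open=True)), "s3")
    reset_x = ("s3", ("reset", "x", interval(2, 3)), "s3")
    pop_a = ("s3", ("pop", "a", interval(1, 3, hi_open=True)), "s4")
    c = ("s2", {"x": Fr("6.1"), "y": Fr(0)}, [])
    c = step(c, push_a, choice=Fr("2.4"))
    early = step(c, pop_a)                  # a is 2.4 old: pop enabled, s4 reached
    c = step(c, reset_x, choice=Fr("2.1"))
    c = delay(c, Fr("0.9"))                 # x = 3, y = 0.9, a is 3.3 old
    late = step(c, pop_a)                   # 3.3 is outside [1 : 3): pop disabled
    return early, c, late
```

The same pop rule is enabled before the delay and disabled after it, which is how a state can be unreachable purely because of timing.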



Reachability. In a similar manner to the reachability problem for PDA, the reachability problem for
TPDA is the problem of deciding whether a particular state is reachable from the initial configuration or
not. In other words, we ask whether it is possible to reach a configuration c such that the state of c is the
given target state.

Notice that in the definition of the reachability problem, we do not place any restrictions on the stack
contents or on the values of the clocks. However, the reachability of a state in a TPDA may, in general,
depend on the clock values and the ages of the stack symbols. For example, the state s4 in Figure 3 is not
reachable because of timing limitations.

Since the set of configurations in a TPDA is infinite, we cannot solve the reachability problem by
iteratively computing the successors of the initial configuration until a fixed point is reached. Furthermore,
we cannot use the classical techniques that solve the reachability problem for PDA [6] since those
constructions rely on the stack alphabet being finite. Therefore, we will now describe a symbolic
representation of clock valuations and ages of stack symbols. We will use this representation to construct a
symbolic PDA that simulates the behavior of the given TPDA.

Figure 4: A computation of a TPDA

Figure 5: A computation of a TPDA (continued)



Abdulla et al.






4 Regions 

In this section, we describe a symbolic region encoding to represent the infinitely many clock valuations
of a TPDA in a finite way. In the following section, we show how to construct, using this encoding, a
symbolic PDA that simulates the behavior of a TPDA.

In the classical paper by Alur and Dill on timed automata [5], a region represents a set of clock
valuations with "similar behaviors". The representation splits a real number into two parts: its integral
value, i.e. its value rounded down to the nearest integer, and its fractional part, i.e. what is left when
we subtract its integral value from it. For example, the integral value of π is 3, and its fractional part is
0.141592... The main idea is that two configurations are equivalent if the following conditions hold:

• the integral values are identical in both valuations, up to a constant c_max

• the fractional part of any clock is either 0 in both valuations, or positive in both valuations

• the orderings of the fractional parts of all clocks are identical in both valuations

If the integral values are the same, the valuations will satisfy the same set of constraints. If the
two valuations agree on the ordering of the fractional parts, they agree on the order in which the clocks
will change integral values (and therefore in which order the constrained transitions will be enabled or
disabled). The constant c_max is the largest constant appearing syntactically in the automaton. All values
that are above c_max are indistinguishable from each other, so we can represent them symbolically with ω.
In our example computation (Figure 4 and Figure 5), this constant is 7.

We will use a representation of regions inspired by [3, 4] that suits our purposes. In our
representation, regions are sequences of sets. Each set contains one or more clocks together with their integral
values. Their positioning in the sequence encodes the ordering of the fractional parts. If two clocks are
in the same set, their fractional parts are equal. The first set contains all clocks with fractional part 0, and,
for technical reasons, is the only set which may be empty. For example, the region R1 in Figure 6
represents clock valuations in which the values of x1 and x2 are exactly and 2, respectively. Furthermore,
the integral value of x3 is 1 and the integral value of x4 is 2, and so on. Finally, the clocks are ordered
in the sequence by increasing fractional part. Thus, the fractional parts of all clocks except x1 and x2 are
strictly positive, and the fractional parts of xg and xy are the largest in the sequence (they are in the same
set, so their fractional parts are equal).

Region rotations. Given a region, we may simulate the passage of time by rotating it. When time passes,
one of two things may happen:

• Some items have fractional part 0, in which case any passage of time is enough to "push" them out

• No items have fractional part 0, in which case the items with the largest fractional part reach their
next integral values.

For instance, consider the region R2 in Figure 6. The next change in the region representation is that
the values of xg and xy reach 4 and 1, respectively.
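The region encoding and its rotation, as an added example that is not code from the tutorial: `region` turns a concrete valuation into a sequence of sets of (item, integral value), and `rotate` applies the two cases listed above. The function names and the sample valuation are constructed; placing ω-items in the first set without a fractional part is an assumption of this sketch, since the text does not say where they sit in the sequence.

```python
from fractions import Fraction as Fr
from math import floor

OMEGA = "ω"   # symbolic integral value for anything above c_max

def region(valuation, cmax):
    """Encode item values as a tuple of sets of (item, integral value).
    Set 0 holds fractional part 0; later sets are ordered by increasing fraction.
    Assumption of this sketch: ω-items carry no fraction and are kept in set 0."""
    groups = {}
    for item, v in valuation.items():
        if v > cmax:
            groups.setdefault(Fr(0), set()).add((item, OMEGA))
        else:
            groups.setdefault(v - floor(v), set()).add((item, floor(v)))
    zero = frozenset(groups.pop(Fr(0), set()))
    return (zero,) + tuple(frozenset(groups[f]) for f in sorted(groups))

def rotate(reg, cmax):
    """Apply the next change that the passage of time causes in the region."""
    first, rest = reg[0], reg[1:]
    moving = {(i, k) for i, k in first if k != OMEGA}
    if moving:
        # Case 1: items with fractional part 0 are pushed out of set 0.
        # An item sitting exactly at c_max becomes ω as soon as time passes.
        stay = {(i, k) for i, k in first if k == OMEGA}
        stay |= {(i, OMEGA) for i, k in moving if k == cmax}
        out = frozenset((i, k) for i, k in moving if k < cmax)
        return (frozenset(stay),) + ((out,) if out else ()) + rest
    if not rest:
        return reg                      # only ω-items left: time changes nothing
    # Case 2: the items with the largest fraction reach their next integral value.
    bumped = frozenset((i, k + 1) for i, k in rest[-1])
    return (first | bumped,) + rest[:-1]

def elapse(valuation, d):
    """Concrete passage of d time units."""
    return {item: v + d for item, v in valuation.items()}

# Constructed valuation over clocks x, y and stack-symbol ages a, b;
# c_max = 7 is the constant the text gives for its example computation.
SAMPLE = {"x": Fr(3), "y": Fr("1.4"), "a": Fr("6.9"), "b": Fr("1.4")}

def demo(cmax=7):
    """Rotate three times and compare with concrete delays of 0.05, 0.1 and 0.2."""
    reg, matches = region(SAMPLE, cmax), []
    for d in ("0.05", "0.1", "0.2"):
        reg = rotate(reg, cmax)
        matches.append(reg == region(elapse(SAMPLE, Fr(d)), cmax))
    return reg, matches
```

Each rotation lands on the region of a concrete delayed valuation, so the symbolic step never needs the real-valued clocks themselves.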

5 Translation 

Our goal is to reduce the reachability problem for TPDA to the reachability problem for PDA by
translating the given TPDA to a PDA which simulates it. We will first describe a naive approach for
constructing such a PDA. Then we show the problem with this approach and explain how to amend it.
At the end of this section, we show in detail how the computation in Figure 4 and Figure 5 is simulated
by the PDA.

Figure 6: Example regions

In the original paper on timed automata [5], the timed automaton is simulated by a region automaton,
i.e. a finite state automaton that encodes the regions in its states. This abstraction relies on the fact that 
the set of clocks is fixed and finite. Since a TPDA may in general operate on unboundedly many clocks 
(the stack is unbounded, and each symbol has an age), we cannot rely entirely on this abstraction. 

Instead, we store the regions in the stack. Each symbol in the stack of the TPDA is represented in the
stack of the PDA by a region that relates the stack symbol with all clocks. For example, consider Run 1
shown in Figure 7. At the beginning, the stack contains a region in which the integral values of a and x
are 2 and 1, respectively, and the fractional part of x is larger than the fractional part of a, which is in turn
larger than 0. The PDA then simulates the pushing of b with an initial age in [0 : 1]. This creates a new
region on top of the stack which relates b to x. The region shown in the run is one of 4 possible regions.
Next, the value of x is set to some value in [1 : 2]. In our case, it happens that x gets the same fractional
part as b.

Unfortunately, it is not enough to relate each stack symbol to all clocks. Consider the final stack of
Run 1 in Figure 7. What is the resulting stack if we now pop b? It is clear that the resulting stack must
contain a and x. As for constraints on their values, we know from the topmost region that the fractional
part of x is positive. We also know, from the region below, that the fractional part of a is positive. If we
combine this information, we end up with one of the stacks in Figure 8.

To see the problem, consider Run 2 in Figure 7. This run ends up with the same stack. However, the
fractional part of x in this run cannot be equal to the fractional part of a, since the value of x has not been
reset. This rules out the stack in the middle in Figure 8. Therefore, we need to relate the fractional parts
of a and b. A tempting solution is to simply record the value of a in the region representing b. However,
since a PDA needs to have a finite stack alphabet, we can only record the values of finitely many previous
stack symbols. At the same time, it is easy to construct counter-examples (similar to the one above) in
which we need to keep the relationship between stack symbols that lie arbitrarily far apart in the stack.
In [1], we show that we can in fact enrich the regions in a finite way in order to construct a PDA which
simulates a TPDA. We will now explain the main points of this construction.

Figure 8: Result of popping



First, let us define the notion of items. An item is either a plain item or a shadow item. A plain
item represents the value of a clock or the age of a stack symbol. We add a special reference clock h,
which is always 0 except when simulating a pop transition. In other words, this reference clock is not
changed when we simulate timed transitions. Thus, the set of plain items consists of X ∪ Γ ∪ {h}. On
the other hand, shadow items record the values of the corresponding plain items in the region below. For
each clock x and stack symbol a, the set of shadow items contains the symbols x* and a*. Additionally,
this set includes a shadow copy h* of the reference clock. The shadow items are used to remember the
amount of time that elapses while the plain items they represent are not on the top of the stack. A region
is then represented by a sequence of sets of items.

To illustrate this, let us simulate a push transition. Assume that the region R1 in Figure 9 is the
topmost region in the stack. The region R1 records the integral values and the relationships between the
clocks x1, x2, the topmost stack symbol a and the reference clock h. It also relates these symbols to the
values of x1, x2, b and h in the previous topmost region. Now, if we simulate the pushing of c with initial
age in [0 : 1], one of the possible resulting regions is R2. The region R2 uses x1*, x2* and h* to record the
previous values of the clocks (initially, their values are identical to those of their plain counterparts). The
value of the previous topmost symbol a is recorded in a*. Finally, the region relates the new topmost
stack symbol c with all the previously mentioned symbols.






Adding Time to PDA 





Figure 9: Example regions with shadow items



Figure 10: Simulating pop



Simulation. We will now describe how to simulate the rest of the transitions, i.e. timed transitions,
x ∈ I?, x ← I, and pop(a, I).

Timed transitions are simulated by rotating the top-most region, as described in the previous section.
Note that the reference clock h is not affected by these rotations. For example, the rotation of the topmost
region between S18 and S19 simulates the timed transition between c18 and c19 in Figure 5. The reference
clock h stays in the first set, but all other items are rotated in a way which is consistent with the passage
of 1.75 time units.

The operation x ∈ I? checks whether the value of x is in the interval I or not. For every transition
rule (s, x ∈ I?, t) in the TPDA and every region that satisfies the condition x ∈ I, we create a sequence of
two transition rules which first pops the region in question and then pushes it back.

The reset operation x ← I sets the value of clock x to some value in the interval I. We simulate this
by first popping the topmost region and then nondeterministically pushing a region which is identical
except for the fact that x has been updated so that x ∈ I. Note that there may be several regions satisfying
this; the region we push is chosen nondeterministically from these.

The interesting operation is pop: the operation merges the information in two different regions. The
simulation is performed in two steps. First, the next top-most region is "refreshed", by repeatedly rotating
it until its items are updated in a manner that reflects their current values. This is illustrated in Figure 10:
the region R1 is rotated until the shadow items in R2 match their plain counterparts in R1. In the figure,
this matching is illustrated by dotted lines. Next, we combine the regions in the following way:

• The plain stack symbol is selected from the lower region (R1)

• The plain clock symbols are selected from the upper region (R2); it contains their most recent
values

• Shadow items are selected from the lower region

For example, the result of combining R1 and R2 is the topmost region in Su. In this way, we simulate
the passage of time only on the topmost region, but the effect "ripples" down the stack when popping.
Thus, we only encode a finite amount of additional information in the regions, so the stack alphabet is
kept finite.



Results. Given a TPDA, we can solve the reachability problem by constructing a PDA which simulates
it, as described in this section. The target state is reachable in the TPDA if and only if it is reachable in
the PDA. However, the size of the PDA might be exponential in the size of the TPDA. The following
theorem states the main result in [1]:

Theorem 1 The reachability problem for TPDA is EXPTIME-complete.



Figure 11: Simulation of a TPDA computation